Inside the TextSecure, CyanogenMod Integration

Moxie Marlinspike explains how Open WhisperSystems plans to bring end-to-end encrypted secure communications to major platforms such as Android, iOS and popular Web browsers.

Moxie Marlinspike has published landmark research on SSL vulnerabilities, taken on certificate authorities and even built an alternative to CAs as we know them today called Convergence. But now that government surveillance and online privacy have been elevated to mainstream dinner-table conversations, the researcher has made a significant dent in the problem of bringing secure communication to the masses.

This has Marlinspike excited, and anxious to bring TextSecure and secure communications to more than just the Android platform; Open WhisperSystems has an iOS client and browser extension on the drawing board.

“As we expand our client base, we’ll be moving to this world where we have truly cross-platform, end to end secure communication with the really massive user base, which is really exciting,” Marlinspike told Threatpost. “This Cyanogen deployment is perhaps the largest deployment of end to end secure messaging ever.”

TextSecure, unlike other secure chat apps such as Silent Text, does not require both ends of the conversation to have an installed client. Nor are the encryption keys securing the chat sessions stored with Open WhisperSystems. That means the organization is not subject to government requests via warrants or National Security Letters for encryption keys or user data.

“That’s definitely happening and an important component of any secure communication system. You want the servers to be completely untrusted,” Marlinspike said. “People get very caught up in where servers are hosted and that really shouldn’t matter. Our position should be that there are really no good governments or safe regions where you can put a server. You have divide servers to be completely untrusted, and you have to have client software that is open source and anyone can verify the security.”

The partnership between CyanogenMod and Open WhisperSystems began earlier this year when the aftermarket Android firmware provider approached Marlinspike about developing a secure messaging system for its users.

“Our position is one of building a business that is not based on collecting as much information as possible about the user,” Marlinspike said. “Seems like they’re trying to think of ways of improving the user’s default experience with respect to privacy.”

Marlinspike said the native CyanogenMod SMS client was modified to support the TextSecure protocol, and that TextSecure for CyanogenMod runs on the TextSecure V2 protocol and supports forward secrecy and the 3DHE agreement for deniable messages.

“If an outgoing SMS message is addressed to another CyanogenMod or TextSecure user, it will be transparently encrypted and sent over the data channel as a push message to the receiving device. That device will then decrypt the message and deliver it to the system as a normal incoming SMS,” Marlinspike said in the announcement. “The result is a system where a CyanogenMod user can choose to use any SMS app they’d like, and their communication with other CyanogenMod or TextSecure users will be transparently encrypted end-to-end over the data channel without requiring them to modify their work flow at all.”

While the Android rollout is slowly under way, the early feedback is encouraging.

“Mostly, the feedback that we’ve gotten is that it’s too invisible; people can’t even tell that it’s happening. They would like more visual feedback, which is a good problem to have and a good problem to start from. Rather than the opposite which is this is too cumbersome or impossible to use,” Marlinspike said. “Right now people are questioning whether it’s really working. ‘Yes it really is.’”

Visual feedback via some kind of icon or system notification is likely the next priority for the TextSecure-CyanogenMod integration, in particular getting that feedback, in whatever form it takes, to work with closed-source software such as Google Hangouts.

Next off the line could be the iOS client, followed shortly thereafter by a client for Open WhisperSystems’ RedPhone secure voice app and a browser extension that would put Open WhisperSystems on its way to having encrypted cross-platform asynchronous messaging systems anchored by open protocols and open source software.

“We want truly cross-platform support, so that means iOS, Android and something for the desktop,” Marlinspike said. “If you can do something with a browser extension, then that automates a lot of friction for users. You get these messages on your phone and you get them on your desktop which is really an integrated chat experience with whatever device you’re using.”
